Because rtshark copies pyshark and prefers "show" over "value", useful information from tshark's output can be inaccessible. For example, I was trying to collect all the TLS records associated with a TLS handshake message. Those fields look like:
So Metadata::value for "tls.handshake.fragment" might give me "9", which is the frame number of the packet containing the fragment. I can then use that frame number to look up the packet containing the fragment and call "tcp.payload" / "tcp.reassembled.data" on it to get the fragment data. However, if I could just access "value" instead of "show", I could skip all that extra manual work.
This isn't a blocker for me. Even if the PR is accepted I might keep manually collecting the TLS records from TCP payloads instead of using the fragments, because the TCP payloads include the TLS record headers, which is kind of nice. It was just mildly annoying that I could see the data I needed in tshark, but couldn't access it from rtshark.
I'm not a huge fan of "raw_value" as a name for the new method, but "value" is already taken so it was the best I could come up with. I'm also not sure if the potential increase in the size of the Metadata is a problem. At least for my use case, "value" is significantly larger than "show", so I can definitely see that being a concern.
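Added example, not part of this PR or of rtshark's code: a minimal Rust sketch of the `show` versus `value` distinction on a single PDML `<field>` element, where `show` is the display string and `value` is the hex of the bytes the field covers. The sample element, the `PdmlField` struct and the helper names are constructed for illustration, and XML entity unescaping is left out.

```rust
/// One PDML <field>: `show` is what tshark displays, `value` the raw bytes.
#[derive(Debug, PartialEq)]
struct PdmlField {
    name: String,
    show: String,
    value: Option<Vec<u8>>, // None when the attribute is absent or not hex
}

/// Return the text of ` key="..."` inside one element. The leading space
/// keeps `name` from matching inside `showname`.
fn attr<'a>(element: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!(" {}=\"", key);
    let start = element.find(&needle)? + needle.len();
    let end = element[start..].find('"')? + start;
    Some(&element[start..end])
}

/// Decode an even-length hex string; reject anything else.
fn decode_hex(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 || !s.bytes().all(|b| b.is_ascii_hexdigit()) {
        return None;
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).ok())
        .collect()
}

fn parse_field(element: &str) -> Option<PdmlField> {
    Some(PdmlField {
        name: attr(element, "name")?.to_string(),
        show: attr(element, "show")?.to_string(),
        value: attr(element, "value").and_then(decode_hex),
    })
}

// Constructed sample, not captured tshark output: the display string is a
// frame number while `value` carries the fragment bytes.
const SAMPLE: &str = r#"<field name="tls.handshake.fragment" showname="Handshake Fragment: 9" size="4" pos="71" show="9" value="0b0003e8"/>"#;

fn main() {
    let f = parse_field(SAMPLE).expect("well-formed field");
    println!("{}: show={} value={:02x?}", f.name, f.show, f.value);
}
```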